ssh public keys and pam

Jason Gerfen jason.gerfen at scl.utah.edu
Thu Oct 20 19:36:04 UTC 2005


I am not an expert on SSH, but storing the public key in LDAP would only 
allow you to authenticate the machine against the stored key in LDAP.  I 
am a little bit in the dark as to how you would authenticate the user 
this way, unless you had the user enter the passphrase used to create 
the public key and use that as the PAM_AUTHTOK value.

Perhaps some more information on it?

Daniel Jacober wrote:

>Jason
>
>Yes that's exactly what I would like to do.
>I would like to store the SSH public keys in an LDAP - Directory
>instead of storing them locally.
>Then I would like to authenticate against those keys. This way I could
>control access to all our servers via LDAP.
>
>I first tried to hack the pam_ldap module, but I read about issues in a
>newsgroup:
>
>http://www.opensolaris.org/jive/thread.jspa?threadID=614&tstart=15
>
>Therefore I tried to make my own module. But I can't find a way to get
>the public key into the PAM module. All I get is the password after
>SSH pubkey authentication fails.
>
>Any hint on this subject is greatly appreciated.
>
>Regards Daniel
>
>
>>I don't have experience working with ssh keys, but with PAM and
>>LDAP. What exactly do you want to do? Use the SSH keys as
>>authentication or something?
>>
>>Daniel Jacober wrote:
>>
>>
>>>
>>>Eric
>>>
>>>Thanks for your hint; nevertheless I would like to get the public
>>>key into the PAM module. Does anyone have experience with that?
>>>
>>>Regards Daniel
>>>
>>>>>Here's what I'm trying to do: I would like to store my public
>>>>>keys centrally on an LDAP server and redirect public key
>>>>>authentication with PAM to the LDAP server.
>>>>
>>>>Sounds like you're looking for OpenSSH LDAP public key support.
>>>>There's a patch here:
>>>>
>>>>http://www.opendarwin.org/projects/openssh-lpk/
>>>>
>>>>-Eric
>>>
>_______________________________________________
>Pam-list mailing list
>Pam-list at redhat.com
>https://www.redhat.com/mailman/listinfo/pam-list
>


-- 
Jason Gerfen

"My girlfriend threatened to
 leave me if I went boarding...
 I will miss her."
 ~ DIATRIBE aka FBITKK
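The reason a PAM module never sees the public key is that sshd verifies public keys itself, before PAM's authentication stack is involved; PAM is only handed a password (or a keyboard-interactive prompt) after public-key authentication has already failed, which is exactly what Daniel observed. The key therefore has to be supplied to sshd, not to PAM. In 2005 that meant the openssh-lpk patch linked above; since OpenSSH 6.2 the same thing can be done without patching sshd through the AuthorizedKeysCommand option, which runs a program that prints the user's authorized keys. The following is an added example for this thread, not code from the thread, from the openssh-lpk project or from OpenSSH: an AuthorizedKeysCommand helper that looks the user up in LDAP with the openssh-lpk schema (objectClass ldapPublicKey, multi-valued attribute sshPublicKey) using the OpenLDAP ldapsearch client, parses the LDIF it returns, and prints one key per line. The server URI, search base and the embedded sample LDIF are constructed placeholders.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper: print a user's SSH public keys from LDAP.

Added example for this thread, not openssh-lpk's or OpenSSH's own code.
Assumptions (not from the original page): the openssh-lpk schema
(objectClass ldapPublicKey, multi-valued attribute sshPublicKey), the
OpenLDAP `ldapsearch` client on PATH, and placeholder server/base values.
"""
import base64
import re
import subprocess
import sys

LDAP_URI = "ldaps://ldap.example.com"          # placeholder
SEARCH_BASE = "ou=People,dc=example,dc=com"    # placeholder
KEY_ATTR = "sshPublicKey"                      # openssh-lpk attribute

# Only plain POSIX-style user names are accepted, so the name can go into an
# LDAP filter without any chance of changing the filter's structure.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# One authorized_keys entry: key type, base64 blob, optional comment.
KEY_LINE_RE = re.compile(
    r"^(?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.-]+ [A-Za-z0-9+/]+={0,2}(?: [^\r\n]*)?$"
)


def ldap_filter_for(user):
    """Build the search filter, refusing anything but a simple login name."""
    if not USERNAME_RE.match(user):
        raise ValueError("refusing user name that is not a plain login name")
    return "(&(objectClass=ldapPublicKey)(uid=%s))" % user


def parse_ldif_keys(ldif_text, attr=KEY_ATTR):
    """Return every value of `attr` in LDIF as `ldapsearch -LLL` prints it.

    Handles RFC 2849 line folding (continuation lines start with a space)
    and the `attr:: <base64>` form ldapsearch uses for values it will not
    print verbatim.  Attribute names are compared case-insensitively.
    """
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8", "replace"))
        else:
            values.append(rest.strip())
    return values


def valid_keys(values):
    """Keep only values that look like a single authorized_keys line."""
    return [v.strip() for v in values if KEY_LINE_RE.match(v.strip())]


def fetch_keys(user):
    """Query the directory; any failure yields no keys (fail closed)."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", SEARCH_BASE,
           ldap_filter_for(user), KEY_ATTR]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return []
    if result.returncode != 0:
        return []
    return valid_keys(parse_ldif_keys(result.stdout))


# Constructed sample of what ldapsearch would print for one user: a folded
# value, a base64-encoded value, and a junk value that must be dropped.
RSA_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 daniel@desktop"
SAMPLE_LDIF = (
    "dn: uid=daniel,ou=People,dc=example,dc=com\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW3rEkaGzwNXyBaFXTrR5rG\n"
    " bdf2sGZK1GhTOvt1lnbk daniel@laptop\n"
    "sshPublicKey:: " + base64.b64encode(RSA_LINE.encode()).decode() + "\n"
    "sshPublicKey: not a key at all\n"
    "\n"
)


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "--selftest":
        print("\n".join(valid_keys(parse_ldif_keys(SAMPLE_LDIF))))
    elif len(sys.argv) == 2:
        try:
            print("\n".join(fetch_keys(sys.argv[1])))
        except ValueError:
            sys.exit(1)
    else:
        sys.exit(2)
```

Wire it into sshd_config with `AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u` and `AuthorizedKeysCommandUser nobody` (sshd insists the program is owned by root and not writable by group or others). The helper prints nothing on any error, so a directory outage denies public-key logins rather than silently accepting whatever is local; it refuses user names that could alter the LDAP filter; and it should talk to the directory over TLS with a verified CA, because whoever can answer the LDAP query can decide which keys open every server.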



